h hoge.gg
Subscribe
BTC$67,432.18+2.34%ETH$3,521.44+1.08%SOL$178.62-0.62%BNB$612.30+0.41%XRP$0.6234-0.18%ADA$0.4521+3.12%DOGE$0.1623+1.86%AVAX$38.71-1.24%LINK$17.84+0.92%HOGE$0.00004120+4.21%
BTC$67,432.18+2.34%ETH$3,521.44+1.08%SOL$178.62-0.62%BNB$612.30+0.41%XRP$0.6234-0.18%ADA$0.4521+3.12%DOGE$0.1623+1.86%AVAX$38.71-1.24%LINK$17.84+0.92%HOGE$0.00004120+4.21%
● AI x Crypto

zkML Explained: How Zero-Knowledge Proofs Verify AI

Zero-knowledge machine learning proves an AI model ran honestly, without redoing the work or exposing its weights. Here's how far zkML has come, and where it still breaks down.

What Is zkML, and Why Is Everyone Suddenly Talking About It

Zero-knowledge proofs became well known for hiding information: a prover can convince a verifier that a statement is true, I know this password, I have enough funds, I am over a certain age, without revealing the underlying data. That is the privacy half of the technology, the half behind privacy coins like Zcash. The other half, less discussed but arguably more important to how crypto infrastructure is being rebuilt in 2026, is validity: a prover can convince a verifier that a computation was executed correctly, cheaply enough that the verifier never has to redo the work itself. That second property is the entire basis of every zk-rollup currently scaling Ethereum.

zkML, short for zero-knowledge machine learning, applies that validity property to neural networks. A prover runs a model, an image classifier, a credit-scoring network, a large language model, on some input, and produces both an output and a compact cryptographic proof that the stated model produced that output from that input by following the actual computation graph, with no shortcuts and no quiet substitution. A smart contract, or anyone else, can check that proof in a fraction of a second. The verifier does not need to own the hardware the model ran on, and depending on how the circuit is built, does not need to see the model’s weights or the raw input data either.

Why does this matter specifically in mid-2026? Because the default assumption crypto is built on, do not trust a counterparty, verify the computation yourself, is colliding with an AI industry built on the opposite assumption: trust the lab that trained the model, trust the API that served it, trust that nobody swapped in a cheaper or compromised version behind the scenes. Autonomous AI agents now hold their own wallets and sign their own transactions. Lending protocols are experimenting with model-driven credit decisions. Prediction markets increasingly lean on an AI’s read of an ambiguous event to resolve a bet. In every one of those cases, the party on the other side has no built-in way to check that the AI actually did what it claims, unless something like zkML exists to check it for them.

That is the pitch. The rest of this piece covers how far the technology has actually gotten toward delivering on it, who is building it, and where it still falls short.

The Trust Problem: Vitalik Buterin’s Four Categories of Crypto Plus AI

The clearest framing of why any of this matters came from Ethereum co-founder Vitalik Buterin, in a January 2024 essay that remains the reference point most builders in this space cite. Buterin split crypto-plus-AI applications into four categories, roughly ordered by how tractable and safe each is today: AI as a player in a game, where an AI is just another participant inside a mechanism whose incentives ultimately come from human-designed rules, a trading bot, a chess opponent, an agent bidding in an auction; AI as an interface to the game, where an AI helps a human understand and safely interact with crypto systems without getting tricked; AI as the rules of the game, where contracts or DAOs call directly into an AI’s judgment, an “AI judge” arbitrating a dispute, for instance; and AI as the objective of the game, the far more speculative idea of using crypto mechanisms to build and sustain an AI in the first place.

The first and third categories are where verifiability stops being a nice-to-have and becomes the whole point. If an AI is a player whose moves determine who gets paid, or a judge whose ruling is treated as final, everyone downstream needs assurance that the AI’s stated output actually came from running the stated model honestly, rather than from an operator quietly overriding it. That assurance is exactly what zkML is trying to sell.

Buterin was equally direct about the cost of buying it. Describing the overhead of turning a neural network into a zero-knowledge circuit, he wrote that “the best implementations in practice show overhead of around 200x” for the non-linear layers that make up most of a modern network, while noting that purely linear operations like matrix multiplication can be proven far more cheaply. Two hundred times is not a rounding error. It means a computation that runs in milliseconds natively can take the better part of a second to prove, and a computation that takes a second natively can take minutes. That single number explains most of the rest of this article: why zkML has shipped for small models and narrow use cases well before it has shipped for anything resembling a frontier model.

How zkML Actually Works: From Neural Network to Arithmetic Circuit

Set the cryptography aside for a moment and look at the pipeline most zkML systems share. A model is usually exported first to ONNX, the open, framework-neutral format that lets a network trained in PyTorch or TensorFlow be read by other tools without retraining it. EZKL and Giza’s Cairo-based tooling both standardize on ONNX for exactly this reason: it means a developer does not need to rebuild their model in a cryptography-specific language just to make it provable.

The next step is quantization, converting the model’s 32-bit floating point weights and activations into fixed-point integers, because the finite field arithmetic that zk-SNARKs and zk-STARKs operate over has no native concept of a floating point number. This is the step where accuracy quietly leaks away. As Elena Burger, a deal partner at a16z crypto, put it in an early but still widely cited breakdown of the field, converting a model into a circuit means “accuracy and fidelity may suffer in the process,” since native 32-bit float operations create what she called massive overheads, pushing developers toward 8-bit quantized models that are, in her words, “crude approximations” of the original network. Get the quantization wrong and the proof can be perfectly valid while certifying an answer the original, unquantized model would never have produced.

Once quantized, each layer of the network is translated into an arithmetic circuit, a set of polynomial constraints a proving system can check. Simple linear operations, matrix multiplications and convolutions, translate fairly cleanly. The expensive part is everything non-linear: ReLU, sigmoid, softmax, and the attention mechanism that defines every modern transformer. None of those map naturally onto polynomial arithmetic, so provers lean on lookup tables and range-check tricks to approximate them inside the circuit, a major reason proving a transformer’s attention layer costs so much more than proving a simple classifier’s dense layers. A body of 2026 research, including a lookup-argument scheme called Jolt Atlas, targets exactly that cost, though it remains a research direction rather than something deployed at production scale yet.

Only after all of that does the proving system itself run, Halo2 and Plonkish arithmetization for EZKL, STARKs for Giza’s Cairo-based tooling, a custom sumcheck-based protocol for Lagrange’s DeepProve, turning the circuit and a specific input into a succinct proof. Verifying that proof, whether on an Ethereum smart contract, inside a browser via WebAssembly, or from the command line, then takes a small fraction of the time the original proof generation did.

The Benchmark Reality: What Cost of Intelligence Taught the Industry

The field’s founding benchmark came from Modulus Labs, in a January 2023 paper titled The Cost of Intelligence, later archived on the IACR’s ePrint server. Backed by an Ethereum Foundation grant, the paper was, by its authors’ own account, the first attempt to benchmark zero-knowledge proof systems, Groth16, Gemini, Winterfell, Halo2, Plonky2, and zkCNN, against a common suite of neural networks rather than one-off demos. The headline result at the time: proving an 18-million-parameter multilayer perceptron took around 50 seconds on a powerful cloud machine using Plonky2. The paper’s own conclusion was blunt: production-grade use cases would need several more orders of magnitude of improvement before zkML could handle anything resembling a real-world model.

Measured against that starting point, 2026 looks like genuine progress, even if the finish line has not moved as close as some marketing suggests. EZKL, built by Jason Morton’s team at Zkonduit, reached a 1.0 release supporting ONNX models up to roughly 50 million parameters, and can prove an MNIST-sized image classification inference in under a second using less than 180 megabytes of memory, verifiable on the Ethereum Virtual Machine, from the command line, or in a browser via WebAssembly. Lagrange Labs went further up the size curve: in August 2025, its DeepProve system became the first to generate a full zero-knowledge proof of an actual large language model’s inference, OpenAI’s GPT-2 (whose smallest published configuration has around 124 million parameters), covering the multi-head attention, layer normalization, softmax, and quantization steps that make transformer proving so much harder than proving a simple classifier. Lagrange’s own published figures claim DeepProve is up to 1,000 times faster at proof generation, up to 671 times faster at verification, and up to 1,150 times faster at one-time setup than its prior baseline, with more than 13 million proofs generated on its network by mid-2026.

Read those numbers carefully, though. Frontier models from the major labs are somewhere between one and two orders of magnitude larger than GPT-2, with attention patterns and mixture-of-experts routing that add complexity DeepProve has not yet tackled publicly. Proving a GPT-2-class model in zero-knowledge is a genuine milestone. It is not evidence that proving a frontier chat model is imminent.

Mapping the zkML Stack: Who Is Building What

A handful of teams account for nearly everything shipping in this space today, and each has made a different bet on proving system, target model size, and business model.

ProjectProving SystemWhat It TargetsFunding / Token Status
EZKL (Zkonduit)Halo2, Plonkish (zk-SNARK)General ONNX models up to about 50 million parameters; client-side and on-chain verificationSeed funding from Bloomberg Beta, Lemniscap, Symbolic Capital; no token
Modulus LabsBenchmarked across Groth16, Plonky2, Halo2, zkCNN and othersOn-chain AI demos and proof-system benchmarking (Leela vs the World, RockyBot)Ethereum Foundation grant-funded research; no token
GizaSTARKs via Cairo (originally Orion, since succeeded by a newer engine called LuminAIR)Verifiable ML and agent tooling on StarknetEarly-stage VC funding (CoinFund, StarkWare); GIZA token live
Lagrange Labs (DeepProve)Custom sumcheck-based zkML proverProving full LLM inference (GPT-2 shipped; Llama-class models in progress)Crypto VC-backed; token live
Mina ProtocolKimchi/Pickles recursive SNARKs via the o1js zkML libraryVerifiable, privacy-preserving inference settled on a lightweight blockchainEstablished Layer 1; MINA token
AxiomHalo2-based zk coprocessor (adjacent to zkML; not model-inference specific)Trustless access to historical Ethereum data and arbitrary compute for smart contracts$20 million raised, led by Paradigm and Standard Crypto

Two things stand out. First, nobody has cracked proving a frontier-scale model yet, every team is targeting a different slice of the small-to-mid-size range instead. Second, funding here is modest by AI industry standards, seed to low-Series-A amounts for most of these teams, reflecting how early and narrow the paying use cases still are relative to mainstream AI infrastructure spending.

Real Deployments: Chess Bots, Iris Codes, and a Proven GPT-2

Demos are cheap; production use is not. A short list of what has actually reached real users, as opposed to a testnet or a conference talk, is worth walking through precisely because it is so short.

Modulus Labs built Leela vs the World, billed as the first on-chain AI game: the community bets for or against an AI opponent, based on the open-source Leela Chess Zero engine, in a live chess match, with every one of the AI’s moves proven and verified on-chain so that neither side can claim the operator swapped in a stronger or weaker model mid-game. The same team built RockyBot, an autonomous trading agent whose decisions are verified before it commits capital, an early, small-scale version of exactly the verifiable-agent pattern the rest of the industry is now chasing at much larger scale.

The most-used zkML-adjacent deployment in the world, though, is probably one people do not immediately associate with the term. World (the identity network formerly branded Worldcoin) uses zero-knowledge proofs to let a person prove they are a unique human, via an iris scan at an Orb, without revealing the biometric data itself. Where that system touches zkML specifically is in how it handles algorithm upgrades: rather than requiring every enrolled user to revisit an Orb every time the iris-recognition model improves, World’s own engineering writeup describes using zkML-style techniques so a device can generate a local proof that a new iris code was correctly derived from the old one, upgrading the underlying model without a full re-enrollment. It is a narrow application, but it runs against a large, real user base rather than a demo audience.

A related use case getting real attention in 2026, though still mostly at the research and pilot stage rather than full production, is verifiable oracles. Price feeds and other off-chain data increasingly pass through some kind of model, an anomaly filter or a manipulation detector, before being published on-chain, and a corrupted or manipulated feed has caused real, well-documented losses across DeFi, a pattern HOGE Wire has covered in detail in how DeFi’s price feeds get attacked. Proving that an oracle’s filtering model ran honestly does not stop every manipulation vector, an attacker can still corrupt the underlying market the oracle reads from, but it closes off one specific failure mode: an operator quietly weakening their own detection model under pressure or for profit.

The thread running through all of these: every zkML use case that has actually shipped either targets a small model, or proves one narrow slice of a larger pipeline, rather than a full frontier system end to end.

zkML vs TEEs vs Optimistic ML vs Crypto-Economic Security

zkML is not the only way to get a verifiable answer out of an AI model, and in practice it is currently the slowest and most expensive of its rivals, which is a large part of why so much of the verifiable-AI activity in 2026 is happening in the other three approaches instead.

ApproachTrust BasisRepresentative ProjectsMain Tradeoff
Zero-knowledge proofs (zkML)Cryptographic math aloneEZKL, Giza, Lagrange DeepProve, MinaStrongest guarantee available, but overhead of hundreds of times the native computation still rules out frontier-scale models
Trusted execution environments (TEE)Tamper-resistant hardware plus vendor attestationIntel TDX, Nvidia H100 confidential computing, Phala NetworkFast and cheap enough for production today, but the guarantee ultimately rests on trusting the chipmaker and the absence of a side-channel exploit
Optimistic ML (opML)Economic incentive plus a challenge windowOraCheap, but final answers are not instant; they wait out a dispute period and need at least one honest party watching for fraud
Crypto-economic securityStaked capital plus slashingEigenCloud (EigenAI, EigenCompute), BoundlessThe guarantee is that cheating costs more than it pays, an economic argument rather than a mathematical one

Restaking is the mechanism doing most of the work in that last row: take capital already staked to secure Ethereum and extend its economic security to a new job, in this case backing claims about AI computation instead of consensus. Readers who want the fuller mechanics of how that capital gets reused across services can find them in HOGE Wire’s beginner’s guide to restaking; the short version for this piece is that EigenCloud, the rebranded EigenLayer, now runs EigenAI and EigenCompute, a product line whose own materials describe an OpenAI-compatible inference API claiming bit-exact deterministic execution of LLM inference on GPUs at scale, alongside a Docker-based execution product secured by a trusted execution environment, putting crypto-economic and hardware-based verification behind the same product rather than choosing one.

Ritual is a useful example of a project refusing to pick a single lane. Its architecture combines a dedicated execution layer, the Ritual Superchain, with security bootstrapped from Ethereum restaking, alongside a stated roadmap that leans on multiple verification methods rather than committing to zkML alone; HOGE Wire has covered Ritual’s broader architecture in more depth. The pattern repeats across the industry in 2026: pure zkML shows up in demos and narrow, high-value proofs, while production systems that need speed today reach for TEEs, opML, or crypto-economic security, often two of the three stacked together. Researchers have taken to calling the underlying constraint a “verifiability trilemma,” pick two of integrity, latency, and cost, and a body of 2026 work on so-called Optimistic TEE-Rollups, pairing a TEE for fast finality with optimistic fraud proofs and occasional zero-knowledge spot checks, is explicitly trying to buy back the third.

The Hardware Race: GPUs, Provers-for-Hire, and Decentralized Proving Networks

Every tradeoff described above traces back to one fact: generating a zero-knowledge proof is far more computationally demanding than the computation it is proving. That has turned who owns and operates the proving hardware into its own competitive layer, separate from the zkML frameworks themselves.

Two general-purpose proof marketplaces have emerged as infrastructure a growing share of zkML and other zk-application builders plug into, rather than running their own prover farms. Boundless, built by the RISC Zero team, launched its mainnet on Base and runs on a design its own materials call Proof of Verifiable Work, rewarding provers based on the quantity, speed, and complexity of the proofs they generate, and is deliberately protocol-agnostic rather than locking developers into one proving system. Shiv Shankar, Boundless’s CEO, described the goal at launch this way: developers on any chain can “access abundant zero-knowledge compute to build complex applications that scale across ecosystems without sacrificing decentralization.” Succinct runs a comparable marketplace around its SP1 zkVM, secured by its own PROVE token, with holders staking against the correctness of the proofs the network produces.

Both networks have real, if still small, tokens attached. Boundless’s ZKC trades around $0.044, valuing the network near $12.8 million, down sharply from an all-time high of $1.78, while Succinct’s PROVE has followed a similar arc, trading well below its own all-time high. Those figures are a reminder that infrastructure a whole industry might eventually route through and a token that has found a stable, rational price are two very different claims, and 2026’s zk-infrastructure tokens have, so far, only really made good on the first one.

The GPU question sits underneath all of this. Provers increasingly run on the same GPU hardware that trains and serves the underlying models, putting zkML in loose competition with every other GPU-hungry corner of crypto, including the decentralized GPU rental markets covered in HOGE Wire’s look at Akash Network’s marketplace bet. Industry commentary through 2026 has consistently pointed toward GPU-native proving, writing provers designed for GPU architectures from the ground up rather than simply running a CPU-designed prover on a GPU, and folding schemes, which combine many proofs into one before the expensive final step, as the two changes most likely to move the cost curve meaningfully over the next year or two. Neither is a solved problem yet; both are being worked on by essentially every team named in this article.

Why Autonomous AI Agents Need Something Like zkML

The clearest near-term commercial case for all of this is not a chatbot, it is the autonomous AI agent that already holds a wallet. On-chain AI agents now number in the hundreds of thousands, transacting through payment rails like Coinbase’s x402 protocol and Google’s Agent Payments Protocol, and the core vulnerability they share is prompt injection: an attacker hides an instruction inside data the model processes, a message, a file, a smart contract’s return value, that the model cannot reliably distinguish from a legitimate command. In one widely reported May 2026 incident, an attacker used a gifted NFT to unlock elevated permissions on an AI trading agent built on the Bankr platform, then triggered a transfer of tokens worth roughly $150,000 to $200,000 through an instruction hidden in Morse code inside a social media reply.

zkML does not fix that particular problem. Proving that a model faithfully executed its own weights on a given input says nothing about whether that input was safe to act on in the first place; a perfectly executed forward pass over a poisoned prompt still produces a malicious transaction, just a provably malicious one. What zkML, or one of its TEE- or restaking-based cousins, can do is close a different, narrower gap: letting a counterparty verify which model and which policy actually ran, so an operator cannot quietly downgrade to a cheaper or compromised model while claiming the audited one is still in production. That is exactly Vitalik Buterin’s “AI as a player in a game” category from earlier in this piece, an agent executing a strategy inside a mechanism, which is why it is the category most people building verifiable-agent infrastructure in 2026 are targeting first, rather than harder problems like an AI judge ruling on a dispute.

EigenAI, the OpenAI-compatible inference API mentioned earlier that claims bit-exact deterministic execution of LLM inference on GPUs at scale, is one concrete 2026 attempt to bring a version of this guarantee to agent infrastructure, though it currently leans on deterministic execution plus TEE attestation rather than zero-knowledge proofs. That choice is not an accident. It is the same hybrids-win-for-now pattern from earlier in this piece, applied to the exact use case, agent verification, where pure zkML would in theory be most valuable and is, today, least ready.

Tokens, Funding, and the Market Around Verifiable AI

Funding across this sector remains modest relative to how much attention it draws. EZKL’s parent company has raised seed funding from backers including Bloomberg Beta, Lemniscap, and Symbolic Capital. Giza raised early funding led by CoinFund, with Starknet’s core development company, StarkWare, among the participants, and later added a larger seed round. Axiom, whose zk coprocessor is adjacent to zkML rather than a model-inference prover itself, raised a larger $20 million round led by Paradigm and Standard Crypto. Ritual, positioning itself as broader AI-native chain infrastructure rather than a zkML tool specifically, raised a $25 million Series A led by Archetype.

Only a few of these projects have a liquid token to look at. Giza’s GIZA trades around $0.0186, valuing the network at roughly $1.4 million, more than 96 percent below the all-time high of $0.4871 it set earlier in its life. That is a steeper drawdown even than the proof-marketplace tokens covered in the previous section, and it illustrates a pattern that has repeated across nearly every AI-crypto sub-sector in 2026: speculative interest arrives well before the underlying technology has paying, sustained demand to support it. Ritual, despite being one of the more heavily funded and discussed projects in this entire piece, had not launched a public token as of mid-2026, running testnet incentive programs instead while its Superchain execution layer remains in development.

None of this is a judgment on whether the technology works. It is a reminder that in this sector, as in most of crypto’s AI corner, token performance and technical progress are only loosely correlated, and reading one off the other is a reliable way to be wrong about both.

The US Regulatory Backdrop: SEC, CFTC, and the CLARITY Act

None of the code described in this piece is, by itself, a security. A proving library, an ONNX-to-Halo2 compiler, a verifier contract sitting on Ethereum, none of that resembles an investment contract under the Howey framework the SEC has used for decades. What is squarely inside the US regulatory perimeter is the tokens that fund several of these networks and, increasingly, the question of who is liable when a verifiably-executed AI agent still does something harmful.

2026 has been an unusually active year for that perimeter. On March 11, SEC Chairman Paul Atkins and CFTC Chairman Michael Selig signed a memorandum of understanding committing the two agencies to coordinate on crypto oversight, describing the goal as a “minimum effective dose” of regulation. Days later, on March 17, the two agencies jointly issued an interpretation of how federal securities laws apply to crypto assets, sketching a working taxonomy of digital commodities, digital collectibles, digital tools, stablecoins, and digital securities. Separately, the Digital Asset Market Clarity Act, generally known as the CLARITY Act, passed the Senate Banking Committee on May 14, 2026; HOGE Wire has covered what the bill would actually change in detail, but the short version is that it would give the CFTC primary jurisdiction over digital commodities and the platforms that list them, while leaving the SEC’s authority over tokens that function as investment contracts intact.

Where would a token like GIZA, ZKC, or PROVE plausibly sit inside that emerging taxonomy? None of them have been the subject of an SEC enforcement action or a formal classification as of this writing, so any answer here is an illustrative reading rather than a settled one. A token whose primary function is paying for network resources, proving compute, verification, storage, rather than representing a claim on a common enterprise’s profits, looks more like the digital commodity category the CFTC would end up supervising under the CLARITY Act’s framework, broadly analogous to how ETH itself is now treated. That reading depends heavily on facts the SEC has said it will keep assessing case by case, how a token was marketed, how concentrated its ownership is, and how much of its value depends on a central team’s ongoing efforts, so it is a reasonable expectation rather than a guarantee.

What neither agency’s 2026 activity addresses is AI-specific liability. Classifying a token as a commodity says nothing about who is responsible when the AI agent that token pays for still executes a harmful instruction, cryptographically proven or not. That question remains entirely a matter of ordinary liability law resting on whoever deployed the agent, in the US just as much as under the EU’s MiCA framework, and none of the zkML infrastructure described in this piece changes that.

What zkML Still Cannot Do

It cannot touch frontier models yet. The largest model proven end to end in zero-knowledge as of mid-2026 is roughly GPT-2 scale. Models from the largest labs run one to two orders of magnitude bigger, with mixture-of-experts routing and attention patterns that make the non-linear proving problem described earlier substantially worse, not just larger.

It runs into a determinism problem that has nothing to do with cryptography. Most production LLM inference on GPUs is not bit-for-bit reproducible by default, floating point addition is not associative, and the order operations get reduced in varies with batch size, hardware, and parallelization strategy, so the same model and the same input can legitimately produce slightly different outputs from one run to the next. Zero-knowledge circuits need a single, fixed execution trace to prove against. Some projects solve a version of this problem without zero-knowledge proofs at all: Gensyn’s RepOps framework, for instance, enforces a fixed reduction order and correctly rounded math so identical calculations on different hardware produce bitwise-identical results, a crypto-economic and engineering fix rather than a cryptographic one, though it shows how much scaffolding sits underneath even getting to the starting line for a proof.

It essentially does not touch training. Everything described in this article proves inference, a single forward pass through an already-trained model. Proving that a model was honestly trained on a claimed dataset, without cherry-picking, poisoning, or simply misrepresenting what data was used, is a much larger, largely unsolved problem, and almost nobody in this space claims otherwise.

It is still expensive even where it works. Buterin’s 200x figure for non-linear layers, cited earlier, is closer to a floor than a ceiling for many real workloads. That overhead means zkML makes economic sense today only where the value of the proof itself, regulatory comfort, a betting market’s integrity, a lending protocol’s risk model, clearly exceeds paying several hundred times the cost of just running the model. It is not yet a general-purpose substitute for trusting an API response.

And it sits in tension with privacy, its own namesake. Proving a model ran correctly typically requires committing to, cryptographically hashing, its exact weights ahead of time, and some circuit constructions reveal more about a model’s internal structure than a team building a proprietary product would want exposed. Zero-knowledge describes what the proof can hide from a verifier; it does not mean the whole system is privacy-preserving by default.

What to Watch Next

A short list of the specific developments that would actually move zkML from narrow and promising to broadly deployed, without pretending to know which of them will happen on any particular date.

  • Whether Lagrange, EZKL, or a new entrant proves a genuinely large open-weight model, something in the multi-billion-parameter range, end to end, closing meaningfully more of the gap between GPT-2 scale and frontier scale than exists today.
  • Whether the GPU-native provers and folding schemes that nearly every team in this piece is working on deliver their promised speedups in benchmarks other people can reproduce, rather than only in a vendor’s own blog post.
  • Whether hybrid designs, a TEE for speed, an optimistic challenge window for cost, occasional zero-knowledge spot checks for the strongest guarantee where it matters most, become the accepted standard for verifying AI agents before pure zkML gets fast enough to do the whole job alone.
  • Whether Ritual, Giza, or a comparable AI-native chain ships a mainnet or token with enough real usage to force the SEC and CFTC’s emerging taxonomy to actually be applied to an AI-verification token, rather than debated about one in the abstract.
  • Whether any regulator, in the US or elsewhere, starts addressing AI-agent liability directly rather than only the token classification questions covered earlier, since a cryptographically verified agent that still causes harm remains, legally, its deployer’s problem to answer for.

None of these are close to certain. But they are specific and checkable, which is more than can be said for most of the claims made about verifiable AI in 2026.

Frequently Asked Questions

What does zkML actually prove?

It proves that a specific, committed-to model produced a specific output from a specific input by following the claimed computation, without the verifier needing to re-run the model itself, and depending on the setup, without revealing the model’s weights or the input data. It does not prove the model is accurate, unbiased, or that its output is true, only that the claimed computation genuinely happened as described.

Is zkML the same thing as World’s proof of personhood?

No. World’s Orb-based system uses zero-knowledge proofs to let someone prove they are a unique human without revealing their iris scan, which is primarily a privacy application of the underlying cryptography. It touches zkML specifically in a narrower way, allowing the iris-recognition algorithm to be upgraded by proving locally that a new iris code was correctly derived from an old one, without requiring users to revisit an Orb for a fresh scan.

Can zkML prove that a model like ChatGPT produced a specific answer?

Not yet, and not in the near term. The largest model proven end to end in zero-knowledge as of mid-2026 is roughly GPT-2 scale, achieved by Lagrange Labs’ DeepProve system. Frontier models from major labs are one to two orders of magnitude larger and use attention and routing mechanisms that are especially expensive to represent as arithmetic circuits.

What is the difference between zkML and a trusted execution environment?

zkML relies on cryptographic math, so its guarantee holds even if the verifier trusts nobody but the proof system itself. A trusted execution environment, such as Intel’s TDX or Nvidia’s confidential computing mode, relies on tamper-resistant hardware, so its guarantee ultimately rests on trusting the chip vendor and the absence of a side-channel exploit. TEEs are far cheaper and faster today; zkML makes the stronger claim but at a much higher computational cost.

Are there tokens tied to zkML, and how have they performed?

Yes, though none function as a pure play on inference-proving demand specifically. Giza’s GIZA token and proof-marketplace tokens like Boundless’s ZKC trade actively, and both have followed the steep boom-then-drawdown pattern common across the AI-crypto sector in 2026, with GIZA trading more than 95 percent below its all-time high as of mid-2026.

Written by the HOGE Wire research desk, covering crypto infrastructure and the intersection of AI and blockchain.

Share 𝕏 Post Telegram